US20030079136A1 - Security framework - Google Patents

Info

Publication number
US20030079136A1
Authority
US
United States
Prior art keywords
user
application
access
permission
database
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/175,942
Inventor
Emmanuel Ericta
Sharon Smithwick
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nasdaq Inc
Original Assignee
Nasdaq Stock Market Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nasdaq Stock Market Inc
Priority to US10/175,942
Assigned to NASDAQ STOCK MARKET, INC., THE reassignment NASDAQ STOCK MARKET, INC., THE ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ERICTA, EMMANUEL, SMITHWICK, SHARON
Publication of US20030079136A1
Assigned to JP MORGAN CHASE BANK, N.A. reassignment JP MORGAN CHASE BANK, N.A. SECURITY AGREEMENT Assignors: NASDAQ STOCK MARKET, INC., THE
Assigned to THE NASDAQ STOCK MARKET, INC. reassignment THE NASDAQ STOCK MARKET, INC. TERMINATION AND RELEASE AGREEMENT Assignors: JPMORGAN CHASE BANK N.A., AS ADMINISTRATIVE AGENT
Assigned to BANK OF AMERICA, N.A. AS COLLATERAL AGENT reassignment BANK OF AMERICA, N.A. AS COLLATERAL AGENT SECURITY AGREEMENT Assignors: THE NASDAQ STOCK MARKET, INC.
Assigned to THE NASDAQ STOCK MARKET, INC. reassignment THE NASDAQ STOCK MARKET, INC. RELEASE OF SECURITY INTEREST IN PATENTS Assignors: BANK OF AMERICA, N.A.
Assigned to NASDAQ OMX GROUP, INC., THE reassignment NASDAQ OMX GROUP, INC., THE CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: NASDAQ STOCK MARKET, INC., THE

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Definitions

  • This invention relates to network-based security.
  • Computer networks allow computer users to share information and data files.
  • a user when logging into a computer network, is typically required to enter a user I.D. and password that identifies the user, grants the user access, and assigns the user rights to resources available on the network.
  • a process residing on a server, regulates the application functionality and network access of a user.
  • An application permission configuration process assigns an application permission token to one or more application functionalities of an application running on the server.
  • a user permission configuration process regulates the access a user has to the application permission tokens assigned by the application permission configuration process. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality.
  • a database stores the application permission tokens of the application and the application rights of the user.
  • the application permission configuration process includes a functionality configuration process for defining the application functionalities (e.g., a web-based process or a uniform resource locator available on a website).
  • An application record maintenance process produces an application database record for the application running on the server.
  • An application token record maintenance process produces an application token database record for each application permission token assigned to the application functionalities of the application running on the server.
  • a user record maintenance process produces a user database record for the user.
  • the database includes a network domain database (e.g., a Windows NT™ domain user and group database) and a security framework database (e.g., a SQL database).
  • the application database records, application token database records, and user database records are stored on both the network domain database and the security framework database.
  • a user enrollment process authenticates a newly-added user by requiring the newly-added user to prove their identity.
  • An authenticity certificate is then produced for and provided to the newly-added user.
  • This authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting any data communicated between the user's computer and the server.
  • a network authentication process authenticates a user upon login by comparing information encoded within the authenticity certificate to information stored on the database.
  • the user enrollment process includes a user personal information input process that requires the newly-added user to provide personal information prior to the creation of their authenticity certificate.
  • the user enrollment process also includes a manual verification process that requires an administrator to approve the personal information entered by the user.
  • a role maintenance process maintains a user group such that all members of the user group have equivalent access to the permission tokens assigned by the application permission configuration process.
  • a folder permission configuration process assigns a folder permission token to one or more folders within a directory structure.
  • the user permission configuration process is configured to regulate the access of the user to these folder permission tokens assigned by the folder permission configuration process. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder.
  • a folder token record maintenance process produces a folder token database record for each folder permission token assigned to the folders within a directory structure. These folders may be a directory folder within the file directory of the server or a file transfer protocol (FTP) folder on an FTP server.
  • FTP: file transfer protocol
  • a method for regulating the application functionality and network access of a user includes assigning an application permission token to one or more application functionalities of an application running on the server.
  • the access that a user has to these application permission tokens is regulated.
  • This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality.
  • the application permission tokens of the application and the application access rights of the user are stored on a database.
  • Assigning an application permission token includes defining the application functionalities.
  • An application database record is produced for each application running on the server.
  • An application token database record is produced for each application permission token assigned to the application functionalities of the application running on the server.
  • a user database record is produced for each user of the server.
  • Newly-added users are authenticated by requiring the newly-added users to prove their identity.
  • An authenticity certificate is then produced for and provided to the newly-added user.
  • the authenticity certificate identifies the newly-added user and includes a unique encryption key that encrypts any data communicated between the user's computer and the server.
  • the user is authenticated upon login by comparing the information encoded within the authenticity certificate to the information stored on the database.
  • Authenticating newly-added users further includes requiring the newly-added user to provide personal information prior to the creation of the authenticity certificate and requiring an administrator to approve the personal information entered by the user.
  • a user group is produced such that all members of the user group have equivalent access to the permission tokens assigned by the application permission configuration process.
  • a folder permission token is assigned to one or more folders within a directory structure. Regulating the access of a user is configured to regulate the access of a user to the folder permission tokens assigned by the assigning a folder permission token. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder.
  • a folder token database record is produced for each folder permission token assigned to the folders within the directory structure.
  • a computer program product which resides on a computer readable medium, has a plurality of instructions stored on it. When executed by the processor, these instructions cause the processor to assign an application permission token to one or more application functionalities of an application running on a server.
  • the computer program product regulates the access of a user to the application permission tokens assigned by the assigning an application permission token. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality.
  • The computer program product stores, on a database, the application permission tokens of the application and the application access rights of the user.
  • Network security can be enhanced. By allowing an administrator to assign tokens to the various functionalities of an application, user access rights can be fine tuned to an enhanced level. By combining traditional logon procedures (i.e., user names and passwords) with authenticity certificates, network security can be further enhanced. By utilizing tokens to assign rights to individual folders within an FTP directory structure, the folder access can also be refined and enhanced.
  • FIG. 1 is a block diagram of a network security process.
  • FIG. 2 is a flow chart depicting a method for providing network security.
  • a process 10 regulates the application functionality and network access of a user 12.
  • Process 10 resides on a storage device 14 on server 16.
  • This storage device 14 can be a hard disk drive, a tape drive, an optical drive, a RAID array, a random access memory (RAM), or a read-only memory (ROM).
  • Distributed computing network 18 can be the Internet, an intranet, a local area network, an extranet, or any other form of network environment.
  • Process 10 is typically administered by an administrator 20 using a graphical user interface (not shown) running on a remote computer 22, which is also connected to network 18.
  • the graphical user interface can be a web browser, such as Microsoft Internet Explorer™ or Netscape Navigator™.
  • a network user 12 typically accesses process 10 and the data and resources stored on storage device 14 through a remote computer 24 that is also connected to network 18.
  • Process 10 is typically a web-enabled process that is accessible through a web browser. Since web browsers are cross-platform compatible, by configuring process 10 so that it is a web-based process, any hardware compatibility issues concerning remote computers 22, 24 are reduced.
  • Server 16 runs web server software, such as Microsoft Internet Information Server™, to facilitate process 10 operation in a web environment.
  • Process 10 includes an application permission configuration process 26 that allows administrator 20 to assign an application permission token to one or more application functionalities 32, 34, 36 of an application 28, 30 running on server 16.
  • These application functionalities 32, 34, 36 can be any process or sub-process of an application. Additionally, if the application is a web-based application usable through a web-browser, a functionality could be an embedded link, such as a URL. Examples of these application functionalities 32, 34, 36 are: a print file command; a save file command; an open file command; a link to a remote website; a report generation command; a report review command; a database query.
  • Application permission tokens “at1”, “at2”, and “at3” are unique identifiers used by process 10 to identify each application functionality of the application to which they are assigned.
  • “at1” may be an application permission token that corresponds to a database query command on a web page
  • “at2” may be an application permission token that corresponds to a compiled report command on a web page
  • “at3” may be an application permission token that corresponds to a print report command on a web page, such that each of these commands represents a unique functionality of the application.
  • Application functionality 32, 34, 36 can be individual applets or links within a web page, or commands and procedures available in non-web-based applications, such as word processors, spreadsheets, databases, etc.
  • an application functionality can be the new file command in a word processor, the print file command in a word processor, the recalculate command in a spreadsheet, the edit query command in a database, the redraw command in a graphics program, etc.
  • an application functionality can be a link (i.e., URL) that allows a user to access another web page or web-based process, or the application functionality can be the web-based process itself.
  • a link on that homepage to an employee name directory web page may be an application functionality that is restricted, via permission tokens, so that only low-level managers (and above) can access this page.
  • an employee search query box that allows users to search the employee records to determine various pieces of semi-confidential information (such as starting dates, home addresses, etc.).
  • this search command within this employee name directory web page may be configured as a separate application functionality and, therefore, further restricted (via permission tokens) so that only mid-level managers (and above) can execute that search command and view the search results.
  • this employee name directory web page there is a separate link that goes to an employee salary webpage that lists the salary of each employee within the company. Obviously, this is highly confidential information that should only be made available to high level managers within the company. Therefore, the link to this employee salary webpage is a separate application functionality that is further restricted, via permission tokens, so that only high level managers have access to this sensitive information.
  • a functionality configuration process 38 incorporated into application permission configuration process 26 is used by administrator 20 to assign application permission tokens to various application functionalities of the application being configured.
  • Administrator 20 can assign application permission tokens to as many or as few application functionalities of the application. Accordingly, administrator 20 can fully control and configure the access intricacy level associated with an application.
  • Process 10 maintains a database 40, which typically resides on storage device 14, that specifies each application 28, 30 and application permission token “at1”, “at2”, and “at3”, configured by administrator 20.
  • database 40 is modified to include a record for that newly-configured application. Information included in this record can be information concerning the manufacturer of the program, the name of the program, the version of the program, the date configured, etc. Additionally, each application permission token “at1”, “at2”, and “at3”, added for any application 28, 30 will have its own database record.
  • the nomenclature of these database records is such that the name of the record for an application permission token references the application to which that application permission token belongs. For example, if the database application record for an application installed on server 16 is “app1”, the database record for the first application permission token for that application may be “app1t1”. Examples of the information included in the database record for an application permission token include the name of the application permission token, the application to which it is associated, the application functionality to which it is associated, etc. Examples of database 40 are a SQL™ database, an Oracle™ database, a Sybase™ database, an Access™ database, etc.
  • Process 10 includes an application record maintenance process 42 for producing the database records for each application (e.g., 28, 30) configured by administrator 20. Additionally, an application token record maintenance process 44 produces the database record for each application permission token (e.g., “at1”, “at2”, and “at3”) configured by administrator 20.
  • Database 46 is the network domain database of the network operating system (NOS) that runs on server 16 and allows communication over network 18.
  • NOS: network operating system
  • network operating systems such as Windows NT Server™, Windows 2000 Advanced Server™, and Novell Netware™, use an internal database to administer these network operating systems.
  • these databases include database records for network users, services installed by the network, applications available on the network, user groups, security rights, etc.
  • This database 46 that is produced and maintained by the network operating system running on server 16 is also modified by process 10 each time an application 28, 30 or an application permission token “at1”, “at2”, “at3” is configured by administrator 20.
  • database 46 mirrors the information included in database 40.
  • database 40 is a specialized database produced and maintained by process 10
  • the individual records in database 40 contain more information than the corresponding records in database 46.
  • an application record is produced in database 46.
  • an application permission token database record is also produced in database 46.
  • application token database records are configured as groups in databases 40 and 46 and any user who is a member of these groups has access to that application permission token and, therefore, the application functionality associated with that application permission token.
  • process 10 includes a user record maintenance process 48 that allows administrator 20 to add and delete (i.e., manage) users 12 from process 10.
  • a user database record is produced in databases 40 and 46.
  • each of these databases includes a record for each application permission token configured by administrator 20 .
  • a role maintenance process 50 allows for the production of such user groups. Through role maintenance process 50, administrator 20 can define a user group in which its members all have equivalent permission to various application permission tokens (e.g., “at1”, “at2”, and “at3”). Therefore, by making a user 12 a member of a user group produced by role maintenance process 50, that user will have the rights of the group as defined by administrator 20, namely access to the specific application permission tokens defined by administrator 20.
  • process 10 can also control a user's access to various folders and sub-folders within a directory structure.
  • a folder permission configuration process 52 assigns a folder permission token (e.g., “ft1”) to one or more folders 54 within a directory structure 55.
  • Directory structure 55 may be the file structure of a file transfer protocol (FTP) server or may be the folders or directories of a local hard drive or remote server drive.
  • a user permission configuration process 54 regulates the access that user 12 has to the application and/or folder permission tokens (which were assigned by administrator 20 using either application permission configuration process 26 or folder permission configuration process 52). This, in turn, regulates the access that user 12 has to the related application functionalities and/or folders.
  • user permission configuration process 54 accesses the user database record for that user to determine if they have access to the tokens associated with these functionalities and/or folders.
  • these can be discrete access rights to specific tokens or can be membership in a group in which all members of the group have defined access rights.
  • user 12 does not have the proper application access rights (for a specific application functionality) or folder access rights (for a specific folder in a directory structure) that user's access to the application functionalities and/or folder contents respectively will be denied.
  • a folder token record maintenance process 56 updates databases 40 and 46 to include a folder token database record for each folder permission token (e.g., “ft1”) assigned by administrator 20.
  • a user enrollment process 58 that requires the user to prove their identity when they first log into server 16.
  • administrator 20 adds user 12
  • the administrator assigns them a user name and a temporary password.
  • user 12 subsequently logs into process 10 using that user name and temporary password, that login itself can serve as proof of their identity.
  • user 12 may be required (by user enrollment process 58) to provide sensitive information known only to the user (e.g., the user's social security number, mother's maiden name, favorite pet's name, etc.).
  • Authenticity certificate 60 is typically stored on the remote computer 24 that user 12 uses to access server 16 and process 10.
  • Authenticity certificate 60 identifies the user (typically using some form of serial number) and may include a unique encryption key (not shown) for encrypting any data communicated between the user's computer 22 and server 16. Therefore, any future communications between these computers will utilize encrypted data.
  • this authenticity certificate 60 is produced for newly-added user 12, that user may be required to enter personal information about themselves in order to complete the enrollment process. If this personal information is desired/required by administrator 20, a user personal information input process 62 requires user 12 to enter this information upon first logging into server 16. Examples of this information are first name, middle name, last name, home address, city, state, zip, home phone number, date of birth, date of employment, job title, etc.
  • administrator 20 may configure user personal information input process 62 so that the authenticity certificate 60 is not produced until after the user submits the personal information and it is accepted.
  • a manual verification process 64 may require that the personal information entered by user 12 be approved by administrator 20 prior to user 12 completing the enrollment process. Therefore, user 12 may not receive the authenticity certificate 60 until not only the new user enters their personal information, but that information is reviewed and approved by administrator 20.
  • the authenticity certificate 60 will be provided to user 12.
  • this authenticity certificate 60 is stored locally on user's computer 22.
  • When user 12 logs into server 16, user 12 will be prompted for their user name and password.
  • Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 will be accessed from database 40 and/or 46.
  • these user database records typically identify the user by a unique serial number that is also included on that user's certificate of authenticity 60. Therefore once process 10 obtains the serial number for user 12 from databases 40 and/or 46, process 10 requests a copy of the certificate stored locally on user's computer 22. A network authentication process 57 then compares the serial number encoded within certificate of authenticity 60 to the serial number in that user's database record.
  • administrator 20 may import a text file (not shown) from a remote computer (not shown) such as a main frame. This would enable process 10 to be quickly configured such that the access rights specified by process 10 are identical to the access rights of the users of a process running on a remote computer, thus allowing for rapid system deployment and configuration.
  • a session management process 66 polices and verifies the integrity of the sessions (or connections) between the users (e.g., user 12) and process 10.
  • Session management process 66 includes an inactivity timer 68 for monitoring the amount of time that a session has been inactive (e.g., no data or information entered by the user). In the event that the session has been inactive for greater than a defined period of time (as defined by administrator 20), that session is disconnected. Therefore, if disconnected, user 12 will be required to reestablish the session before they may continue to use process 10.
  • the length of this defined period of time may be varied depending on the particular application that the user is working on.
  • Session management process 66 also includes a point-in-time timeout process 70 for disconnecting sessions at an administrator-defined point in time. This enables all sessions (or a portion thereof) to be disconnected at a specific time of day, thus allowing, for example, the performance of maintenance tasks on process 10 or server 16.
  • session management process 66 includes a session restriction process 72 that prevents multiple users from logging into process 10 and/or server 16 using a single user ID.
  • server 16 that user is prompted to enter their user name and password.
  • Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 is accessed from database 40 and/or 46.
  • a session record is created (in database 40) for the user's current session.
  • Written into this session record is a unique browser ID that is obtained from the web browser that user 12 is using to access process 10.
  • This session record uniquely identifies the computer currently being used by user 12 and, therefore, uniquely identifies that user's current session. Further, each time a new session is established for user 12, a new session record is created and any previously established session is suspended.
  • Session restriction process 72 may be interfaced with user record maintenance process 48 so that in the event that multiple users log in (or attempt to log in) using a single user ID, user record maintenance process 48 disables or deletes that user ID. This is done on the premise that the confidentiality of that user ID was compromised and, therefore, a new user ID should be created for that user.
  • In FIG. 2, a method 100 for regulating the application functionality and network access of a user is shown.
  • An application permission token is assigned 102 to one or more application functionalities of an application running on a server.
  • the access rights of the user are defined in that a user who has access to an application permission token is granted access to its related application functionality.
  • These application permission tokens of the application and the application access rights of the user are stored 106 on a database.
  • An administrator defines 108 the application functionalities of an application.
  • An application database record is maintained 110 for each application running on the server. Further, an application database record is also maintained 112 for each application permission token assigned to the application functionalities of the application running on the server. Additionally, a user database record is maintained for each user who has access to the system.
  • Newly-added users are authenticated 116 by requiring the newly-added user to prove their identity. Once their identity is proven, an authenticity certificate is produced for and provided to 118 the newly-added user. This authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting 120 the data communicated between the user's computer and the server. A user is authenticated 122 upon log in by comparing the information encoded within the authenticity certificate to information stored on the database.
  • a newly-added user may be required 124 to provide personal information prior to the creation of the authenticity certificate. Additionally, the administrator may require 126 that the personal information entered by the user be approved prior to the creation of the authenticity certificate.
  • a user group is maintained 128 such that all members of the user group have equivalent access to the permission tokens assigned by the administrator.
  • a folder permission token is assigned 130 to one or more folders within a directory structure. These folder permission tokens are then used to regulate the access of a user to the particular folders within the directory structure. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder.
  • a folder token database record is produced 132 for each folder permission token assigned to the folders within the directory structure.
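The session controls described in the list above (inactivity timer 68, point-in-time timeout process 70 and session restriction process 72) are modelled here as an added Python example that is not code from the patent. The class, method and state names, the user and browser IDs and the timeline are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SessionRecord:
    user_id: str
    browser_id: str          # unique browser ID written into the session record
    created: datetime
    last_activity: datetime
    state: str = "active"    # active | suspended | inactivity_timeout | point_in_time_timeout


class SessionManager:
    def __init__(self, inactivity_limit, cutoff=None, disable_on_conflict=False):
        self.inactivity_limit = inactivity_limit        # administrator-defined idle period
        self.cutoff = cutoff                            # administrator-defined point in time
        self.disable_on_conflict = disable_on_conflict  # disable a user ID seen on two browsers
        self.records = []                               # every session record, newest last
        self.disabled_users = set()

    def _latest(self, user_id, browser_id=None):
        """Newest record for the user, optionally restricted to one browser."""
        for rec in reversed(self.records):
            if rec.user_id == user_id and browser_id in (None, rec.browser_id):
                return rec
        return None

    def _expire(self, rec, now):
        """Apply both timeouts to an active record; other states are final."""
        if rec.state != "active":
            return
        if self.cutoff is not None and rec.created < self.cutoff <= now:
            rec.state = "point_in_time_timeout"
        elif now - rec.last_activity > self.inactivity_limit:
            rec.state = "inactivity_timeout"

    def login(self, user_id, browser_id, now):
        """Create a new session record; any session still active is suspended."""
        if user_id in self.disabled_users:
            return "user_disabled"
        previous = self._latest(user_id)
        if previous is not None:
            self._expire(previous, now)
            if previous.state == "active":
                previous.state = "suspended"
                if self.disable_on_conflict and previous.browser_id != browser_id:
                    # Same user ID live on a second browser: treat the ID as compromised.
                    self.disabled_users.add(user_id)
                    return "user_disabled"
        self.records.append(SessionRecord(user_id, browser_id, now, now))
        return "active"

    def request(self, user_id, browser_id, now):
        """Check the session on each request and refresh the idle timer if it is valid."""
        if user_id in self.disabled_users:
            return "user_disabled"
        rec = self._latest(user_id, browser_id)
        if rec is None:
            return "no_session"
        self._expire(rec, now)
        if rec.state == "active":
            rec.last_activity = now
        return rec.state


def demo():
    """Constructed timeline: one user ID, two browsers, 15 min idle limit, 10:00 cutoff."""
    t0 = datetime(2024, 1, 1, 9, 0)

    def at(minute):
        return t0 + timedelta(minutes=minute)

    mgr = SessionManager(timedelta(minutes=15), cutoff=at(60))
    return [
        mgr.login("user12", "browser-A", at(0)),
        mgr.request("user12", "browser-A", at(10)),
        mgr.request("user12", "browser-A", at(40)),   # idle for 30 minutes
        mgr.login("user12", "browser-A", at(41)),     # session re-established
        mgr.login("user12", "browser-B", at(45)),     # second browser, first is suspended
        mgr.request("user12", "browser-A", at(46)),
        mgr.request("user12", "browser-B", at(55)),
        mgr.request("user12", "browser-B", at(61)),   # session predates the 10:00 cutoff
        mgr.login("user12", "browser-B", at(62)),
        mgr.request("user12", "browser-B", at(63)),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The example checks timeouts lazily on each request; a deployment that must free resources at the cutoff would also sweep the session records on a schedule.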

Abstract

A process, which resides on a server, regulates the application functionality and network access of a user. An application permission configuration process assigns an application permission token to one or more application functionalities of an application running on the server. A user permission configuration process regulates the access of a user to the application permission tokens assigned by the application permission configuration process. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality. A database stores the application permission tokens of the application and the application access rights of the user.
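The token model summarised in the abstract, as an added example (not code from the patent) that uses an in-memory SQLite database and goes through the page's employee-directory scenario with role groups and one discrete grant. The table layout, functionality names, role names and users are assumptions; the “app1”/“app1t1” record naming follows the page, and denying a functionality that has no token is this example's own choice.

```python
import sqlite3

# Assumed schema: one record per application, per token, per group grant, per user grant.
SCHEMA = """
CREATE TABLE application (app_id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE token (
    token_id      TEXT PRIMARY KEY,
    app_id        TEXT NOT NULL REFERENCES application(app_id),
    functionality TEXT NOT NULL,
    UNIQUE (app_id, functionality)
);
CREATE TABLE role_token (role TEXT, token_id TEXT REFERENCES token(token_id),
                         PRIMARY KEY (role, token_id));
CREATE TABLE user_role  (user_id TEXT, role TEXT, PRIMARY KEY (user_id, role));
CREATE TABLE user_token (user_id TEXT, token_id TEXT REFERENCES token(token_id),
                         PRIMARY KEY (user_id, token_id));
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # reject grants that name an unknown token
    db.executescript(SCHEMA)
    return db


def assign_token(db, app_id, functionality):
    """Create a token record named after its application, e.g. app1 -> app1t1."""
    count = db.execute("SELECT COUNT(*) FROM token WHERE app_id = ?", (app_id,)).fetchone()[0]
    token_id = f"{app_id}t{count + 1}"
    db.execute("INSERT INTO token VALUES (?, ?, ?)", (token_id, app_id, functionality))
    return token_id


def is_allowed(db, user_id, app_id, functionality, default_allow=False):
    """True if the user holds the functionality's token, directly or through a group."""
    row = db.execute(
        "SELECT token_id FROM token WHERE app_id = ? AND functionality = ?",
        (app_id, functionality),
    ).fetchone()
    if row is None:
        # No token was configured for this functionality; the policy is the caller's choice.
        return default_allow
    token_id = row[0]
    hit = db.execute(
        """
        SELECT 1 FROM user_token WHERE user_id = ? AND token_id = ?
        UNION ALL
        SELECT 1 FROM user_role ur JOIN role_token rt ON rt.role = ur.role
         WHERE ur.user_id = ? AND rt.token_id = ?
        LIMIT 1
        """,
        (user_id, token_id, user_id, token_id),
    ).fetchone()
    return hit is not None


def build_demo():
    """Constructed data: directory link, search box and salary link, one token each."""
    db = open_db()
    db.execute("INSERT INTO application VALUES ('app1', 'Employee directory')")
    t_dir = assign_token(db, "app1", "directory_link")
    t_search = assign_token(db, "app1", "employee_search")
    t_salary = assign_token(db, "app1", "salary_link")
    roles = {
        "low_manager": [t_dir],
        "mid_manager": [t_dir, t_search],
        "high_manager": [t_dir, t_search, t_salary],
    }
    for role, tokens in roles.items():
        db.executemany("INSERT INTO role_token VALUES (?, ?)", [(role, t) for t in tokens])
    db.executemany(
        "INSERT INTO user_role VALUES (?, ?)",
        [("alice", "high_manager"), ("bob", "mid_manager"), ("carol", "low_manager")],
    )
    # dave belongs to no group and holds a single discrete token grant.
    db.execute("INSERT INTO user_token VALUES ('dave', ?)", (t_dir,))
    return db


if __name__ == "__main__":
    demo_db = build_demo()
    for user in ("alice", "bob", "carol", "dave"):
        for func in ("directory_link", "employee_search", "salary_link"):
            print(user, func, is_allowed(demo_db, user, "app1", func))
```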

Description

    RELATED APPLICATIONS
  • This application claims the priority of U.S. Provisional Patent Application No. 60/313,954, filed on Aug. 21, 2001, and entitled “Web Security Framework”. [0001]
    BACKGROUND
  • This invention relates to network-based security. [0002]
  • Computer networks (e.g., local area networks, wide area networks, intranets, extranets, the internet, etc.) allow computer users to share information and data files. A user, when logging into a computer network, is typically required to enter a user I.D. and password that identifies the user, grants the user access, and assigns the user rights to resources available on the network. [0003]
  • As the level of access granted to users typically varies from user to user, the resources, data files, and applications available to the individual users will also vary. [0004]
  • Computer networks that provide access to sensitive data often use data encryption and enhanced security procedures to prevent unauthorized access to the sensitive data and system resources of the network. [0005]
    SUMMARY
  • According to an aspect of this invention, a process, residing on a server, regulates the application functionality and network access of a user. An application permission configuration process assigns an application permission token to one or more application functionalities of an application running on the server. A user permission configuration process regulates the access a user has to the application permission tokens assigned by the application permission configuration process. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality. A database stores the application permission tokens of the application and the application rights of the user. [0006]
  • One or more of the following features may also be included. The application permission configuration process includes a functionality configuration process for defining the application functionalities (e.g., a web-based process or a uniform resource locator available on a website). An application record maintenance process produces an application database record for the application running on the server. An application token record maintenance process produces an application token database record for each application permission token assigned to the application functionalities of the application running on the server. A user record maintenance process produces a user database record for the user. [0007]
  • The database includes a network domain database (e.g., a Windows NT™ domain user and group database) and a security framework database (e.g., a SQL database). The application database records, application token database records, and user database records are stored on both the network domain database and the security framework database. [0008]
  • A user enrollment process authenticates a newly-added user by requiring the newly-added user to prove their identity. An authenticity certificate is then produced for and provided to the newly-added user. This authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting any data communicated between the user's computer and the server. A network authentication process authenticates a user upon login by comparing information encoded within the authenticity certificate to information stored on the database. [0009]
  • The user enrollment process includes a user personal information input process that requires the newly-added user to provide personal information prior to the creation of their authenticity certificate. The user enrollment process also includes a manual verification process that requires an administrator to approve the personal information entered by the user. [0010]
  • A role maintenance process maintains a user group such that all members of the user group have equivalent access to the permission tokens assigned by the application permission configuration process. [0011]
  • A folder permission configuration process assigns a folder permission token to one or more folders within a directory structure. The user permission configuration process is configured to regulate the access of the user to these folder permission tokens assigned by the folder permission configuration process. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder. A folder token record maintenance process produces a folder token database record for each folder permission token assigned to the folders within a directory structure. These folders may be a directory folder within the file directory of the server or a file transfer protocol (FTP) folder on an FTP server. [0012]
  • According to a further aspect of this invention, a method for regulating the application functionality and network access of a user includes assigning an application permission token to one or more application functionalities of an application running on the server. The access that a user has to these application permission tokens is regulated. This, in turn, defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality. The application permission tokens of the application and the application access rights of the user are stored on a database. [0013]
  • One or more of the following features may be included. Assigning an application permission token includes defining the application functionalities. An application database record is produced for each application running on the server. An application token database record is produced for each application permission token assigned to the application functionalities of the application running on the server. A user database record is produced for each user of the server. Newly-added users are authenticated by requiring the newly-added users to prove their identity. An authenticity certificate is then produced for and provided to the newly-added user. The authenticity certificate identifies the newly-added user and includes a unique encryption key that encrypts any data communicated between the user's computer and the server. The user is authenticated upon login by comparing the information encoded within the authenticity certificate to the information stored on the database. Authenticating newly-added users further includes requiring the newly-added user to provide personal information prior to the creation of the authenticity certificate and requiring an administrator to approve the personal information entered by the user. [0014]
  • A user group is produced such that all members of the user group have equivalent access to the permission tokens assigned by the application permission configuration process. [0015]
  • A folder permission token is assigned to one or more folders within a directory structure. Regulating the access of a user is configured to regulate the access of a user to the folder permission tokens assigned by the assigning a folder permission token. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder. A folder token database record is produced for each folder permission token assigned to the folders within the directory structure. [0016]
  • According to a further aspect of this invention, a computer program product, which resides on a computer readable medium, has a plurality of instructions stored on it. When executed by the processor, these instructions cause the processor to assign an application permission token to one or more application functionalities of an application running on a server. The computer program product regulates the access of a user to the application permission tokens assigned by the assigning an application permission token. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality. The computer program product stores, on a database, the application permission tokens of the application and the application access rights of the user. [0017]
  • One or more advantages can be provided from the above. Network security can be enhanced. By allowing an administrator to assign tokens to the various functionalities of an application, user access rights can be fine tuned to an enhanced level. By combining traditional logon procedures (i.e., user names and passwords) with authenticity certificates, network security can be further enhanced. By utilizing tokens to assign rights to individual folders within an FTP directory structure, the folder access can also be refined and enhanced. [0018]
  • The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention will be apparent from the description and drawings, and from the claims. [0019]
    DESCRIPTION OF DRAWINGS
  • FIG. 1 is a block diagram of a network security process; and [0020]
  • FIG. 2 is a flow chart depicting a method for providing network security. [0021]
    DETAILED DESCRIPTION
  • [0022] Referring to FIG. 1, a process 10 regulates the application functionality and network access of a user 12. Process 10 resides on a storage device 14 on server 16. This storage device 14 can be a hard disk drive, a tape drive, an optical drive, a RAID array, a random access memory (RAM), or a read-only memory (ROM). Distributed computing network 18 can be the Internet, an intranet, a local area network, an extranet, or any other form of network environment. Process 10 is typically administered by an administrator 20 using a graphical user interface (not shown) running on a remote computer 22, which is also connected to network 18. The graphical user interface can be a web browser, such as Microsoft Internet Explorer™ or Netscape Navigator™. A network user 12 typically accesses process 10 and the data and resources stored on storage device 14 through a remote computer 24 that is also connected to network 18.
  • [0023] Process 10 is typically a web-enabled process that is accessible through a web browser. Since web browsers are cross-platform compatible, by configuring process 10 so that it is a web-based process, any hardware compatibility issues concerning remote computers 22, 24 are reduced. Server 16 runs web server software, such as Microsoft Internet Information Server™, to facilitate process 10 operation in a web environment.
  • [0024] Process 10 includes an application permission configuration process 26 that allows administrator 20 to assign an application permission token to one or more application functionalities 32, 34, 36 of an application 28, 30 running on server 16. These application functionalities 32, 34, 36 can be any process or sub-process of an application. Additionally, if the application is a web-based application usable through a web browser, a functionality could be an embedded link, such as a URL. Examples of these application functionalities 32, 34, 36 are: a print file command; a save file command; an open file command; a link to a remote website; a report generation command; a report review command; and a database query. Application permission tokens “at1”, “at2”, and “at3” are unique identifiers used by process 10 to identify each application functionality of the application to which they are assigned. For example, “at1” may be an application permission token that corresponds to a database query command on a web page, “at2” may be an application permission token that corresponds to a compiled report command on a web page, and “at3” may be an application permission token that corresponds to a print report command on a web page, such that each of these commands represents a unique functionality of the application. By regulating the access that a user 12 has to these application permission tokens “at1”, “at2” and “at3”, the user's access to the various application functionalities 32, 34, 36 of an application 28 can be controlled.
  • [0025] The individual application functionalities of the application 28 are configured by administrator 20 using computer 22. Application functionality 32, 34, 36 can be individual applets or links within a web page, or commands and procedures available in non-web-based applications, such as word processors, spreadsheets, databases, etc. For example, an application functionality can be the new file command in a word processor, the print file command in a word processor, the recalculate command in a spreadsheet, the edit query command in a database, the redraw command in a graphics program, etc.
  • Concerning web-based applications and web pages, an application functionality can be a link (i.e., URL) that allows a user to access another web page or web-based process, or the application functionality can be the web-based process itself. For example, the intranet homepage of a company's internal website may be accessible by all employees. However, a link on that homepage to an employee name directory web page may be an application functionality that is restricted, via permission tokens, so that only low-level managers (and above) can access this page. On this employee name directory web page is an employee search query box that allows users to search the employee records to determine various pieces of semi-confidential information (such as starting dates, home addresses, etc.). The use of this search command within this employee name directory web page may be configured as a separate application functionality and, therefore, further restricted (via permission tokens) so that only mid-level managers (and above) can execute that search command and view the search results. Further, assume that also within this employee name directory web page, there is a separate link that goes to an employee salary webpage that lists the salary of each employee within the company. Obviously, this is highly confidential information that should only be made available to high level managers within the company. Therefore, the link to this employee salary webpage is a separate application functionality that is further restricted, via permission tokens, so that only high level managers have access to this sensitive information. [0026]
  • [0027] During initial configuration of an application 28 by administrator 20, a functionality configuration process 38 incorporated into application permission configuration process 26 is used by administrator 20 to assign application permission tokens to various application functionalities of the application being configured. Administrator 20 can assign application permission tokens to as many or as few application functionalities of the application as desired. Accordingly, administrator 20 can fully control and configure the access intricacy level associated with an application.
  • [0028] Process 10 maintains a database 40, which typically resides on storage device 14, that specifies each application 28, 30 and application permission token “at1”, “at2”, and “at3” configured by administrator 20. Each time an application is initially configured by administrator 20, database 40 is modified to include a record for that newly-configured application. Information included in this record can be information concerning the manufacturer of the program, the name of the program, the version of the program, the date configured, etc. Additionally, each application permission token “at1”, “at2”, and “at3” added for any application 28, 30 will have its own database record.
  • [0029] Typically, the nomenclature of these database records is such that the name of the record for an application permission token references the application to which that application permission token belongs. For example, if the database application record for an application installed on server 16 is “app1”, the database record for the first application permission token for that application may be “app1t1”. Examples of the information included in the database record for an application permission token include the name of the application permission token, the application to which it is associated, the application functionality to which it is associated, etc. Examples of database 40 are a SQL™ database, an Oracle™ database, a Sybase™ database, an Access™ database, etc. Process 10 includes an application record maintenance process 42 for producing the database records for each application (e.g., 28, 30) configured by administrator 20. Additionally, an application token record maintenance process 44 produces the database record for each application permission token (e.g., “at1”, “at2”, and “at3”) configured by administrator 20.
  • [0030] In addition to database 40, which is a stand-alone database produced and maintained by process 10, a second database 46 is also modified and maintained by process 10. Database 46 is the network domain database of the network operating system (NOS) that runs on server 16 and allows communication over network 18. Specifically, network operating systems, such as Windows NT Server™, Windows 2000 Advanced Server™, and Novell Netware™, use an internal database to administer these network operating systems. Typically, these databases include database records for network users, services installed by the network, applications available on the network, user groups, security rights, etc. This database 46 that is produced and maintained by the network operating system running on server 16 is also modified by process 10 each time an application 28, 30 or an application permission token “at1”, “at2”, “at3” is configured by administrator 20. Typically, database 46 mirrors the information included in database 40. However, because database 40 is a specialized database produced and maintained by process 10, the individual records in database 40 contain more information than the corresponding records in database 46. Accordingly, each time an application 28, 30 is configured in process 10 by administrator 20, an application record is produced in database 46. Additionally, each time an application permission token “at1”, “at2”, “at3” is configured in process 10 by administrator 20, an application token database record is also produced in database 46. Typically, application token database records are configured as groups in databases 40 and 46 and any user who is a member of these groups has access to that application permission token and, therefore, the application functionality associated with that application permission token.
  • [0031] In addition to configuring applications and permission tokens “at1”, “at2”, “at3”, the administrator also configures the individual users 12 of process 10. The users are configured so that a user's access to the application functionalities 32, 34, 36 of an application 28 can be regulated. Accordingly, process 10 includes a user record maintenance process 48 that allows administrator 20 to add and delete (i.e., manage) users 12 from process 10. Each time administrator 20 produces a user 12 on process 10, a user database record is produced in databases 40 and 46. As stated above, each of these databases includes a record for each application permission token configured by administrator 20. Further, as stated above, by granting a user access to these application permission tokens “at1”, “at2”, “at3”, user 12 gains access to the application functionalities associated with each one of these tokens. Therefore, since each database record concerning an application permission token is configured as a group, by adding a user (i.e., making them a member) to one of these groups, that user would have access to that application permission token and, therefore, the functionality related to that application permission token. In the event that a user's access is changed, this user can be added to or removed from the database records (i.e., groups) of each application permission token via user record maintenance process 48.
  • [0032] Typically, similarly situated users are granted identical access rights. For example, it is not uncommon for all new employees at a company to be granted only basic access rights, while mid-level management has enhanced rights, upper level management has superior rights, and administrators have complete access. Accordingly, it is desirable to be able to configure each of these various levels of access rights as a separate group, such that all the members of the group have the same access rights. This allows administrator 20 to quickly configure users by adding or removing them from these user groups. A role maintenance process 50 allows for the production of such user groups. Through role maintenance process 50, administrator 20 can define a user group in which its members all have equivalent permission to various application permission tokens (e.g., “at1”, “at2”, and “at3”). Therefore, by making a user 12 a member of a user group produced by role maintenance process 50, that user will have the rights of the group as defined by administrator 20, namely access to the specific application permission tokens defined by administrator 20.
  • [0033] In addition to the above-described ways in which process 10 controls a user's access to various application functionalities, process 10 can also control a user's access to various folders and sub-folders within a directory structure. A folder permission configuration process 52 assigns a folder permission token (e.g., “ft1”) to one or more folders 54 within a directory structure 55. Directory structure 55 may be the file structure of a file transfer protocol (FTP) server or may be the folders or directories of a local hard drive or remote server drive.
  • [0034] Regardless of the type of token assigned (i.e., an application permission token or a folder permission token), a user permission configuration process 54 regulates the access that user 12 has to the application and/or folder permission tokens (which were assigned by administrator 20 using either application permission configuration process 26 or folder permission configuration process 52). This, in turn, regulates the access that user 12 has to the related application functionalities and/or folders.
  • [0035] Accordingly, each time a user 12 tries to access an application functionality 32, 34, 36, and/or a folder 54, user permission configuration process 54 accesses the user database record for that user to determine if they have access to the tokens associated with these functionalities and/or folders. As explained above, these can be discrete access rights to specific tokens or can be membership in a group in which all members of the group have defined access rights. In the event that user 12 does not have the proper application access rights (for a specific application functionality) or folder access rights (for a specific folder in a directory structure), that user's access to the application functionalities and/or folder contents, respectively, will be denied.
  • [0036] As with the application permission tokens, each time a folder permission token is produced, a folder token record maintenance process 56 updates databases 40 and 46 to include a folder token database record for each folder permission token (e.g., “ft1”) assigned by administrator 20.
  • [0037] Each time a new user is added, that newly-added user is authenticated by a user enrollment process 58 that requires the user to prove their identity when they first log into server 16. Typically, when administrator 20 adds user 12, the administrator assigns them a user name and a temporary password. When user 12 subsequently logs into process 10 using that user name and temporary password, that login itself can serve as proof of their identity. Additionally, upon logging in, user 12 may be required (by user enrollment process 58) to provide sensitive information known only to the user (e.g., the user's social security number, mother's maiden name, favorite pet's name, etc.).
  • [0038] Once user 12 proves their identity to the level required by administrator 20, user enrollment process 58 generates an authenticity certificate 60 that is provided to user 12. Authenticity certificate 60 is typically stored on the remote computer 24 that user 12 uses to access server 16 and process 10. Authenticity certificate 60 identifies the user (typically using some form of serial number) and may include a unique encryption key (not shown) for encrypting any data communicated between the user's computer 22 and server 16. Therefore, any future communications between these computers will utilize encrypted data.
  • [0039] Once this authenticity certificate 60 is produced for newly-added user 12, that user may be required to enter personal information about themselves in order to complete the enrollment process. If this personal information is desired/required by administrator 20, a user personal information input process 62 requires user 12 to enter this information upon first logging into server 16. Examples of this information are first name, middle name, last name, home address, city, state, zip, home phone number, date of birth, date of employment, job title, etc.
  • [0040] Alternatively, administrator 20 may configure user personal information input process 62 so that the authenticity certificate 60 is not produced until after the user submits the personal information and it is accepted. For example, a manual verification process 64 may require that the personal information entered by user 12 be approved by administrator 20 prior to user 12 completing the enrollment process. Therefore, user 12 may not receive the authenticity certificate 60 until not only the new user enters their personal information, but that information is reviewed and approved by administrator 20.
  • [0041] Once this personal information is entered by user 12 and accepted by administrator 20, the authenticity certificate 60 will be provided to user 12. As stated above, this authenticity certificate 60 is stored locally on user's computer 22. When user 12 logs into server 16, user 12 will be prompted for their user name and password. Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 will be accessed from database 40 and/or 46.
  • [0042] As stated above, these user database records typically identify the user by a unique serial number that is also included on that user's certificate of authenticity 60. Therefore, once process 10 obtains the serial number for user 12 from databases 40 and/or 46, process 10 requests a copy of the certificate stored locally on user's computer 22. A network authentication process 57 then compares the serial number encoded within certificate of authenticity 60 to the serial number in that user's database record.
  • [0043] In the event that the certificate of authenticity 60 does not exist, or the serial number encoded within the certificate of authenticity does not match the serial number assigned to that user, user 12 will be denied access to server 16 and process 10. However, if the serial number stored on the user's database record matches the serial number encoded within the certificate of authenticity 60 stored on computer 22, that user 12 will be granted access to server 16 and allowed to log in. At this point, the access rights (both application and folder) will be determined for that user by looking up the tokens (e.g., “at1”, “at2”, “at3” and “ft1”) assigned to that user.
  • [0044] In addition to defining the rights of user 12 manually, administrator 20 may import a text file (not shown) from a remote computer (not shown) such as a main frame. This would enable process 10 to be quickly configured such that the access rights specified by process 10 are identical to the access rights of the users of a process running on a remote computer, thus allowing for rapid system deployment and configuration.
  • [0045] A session management process 66 polices and verifies the integrity of the sessions (or connections) between the users (e.g., user 12) and process 10.
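The token model described above (one token per functionality or folder, each token record kept as a group, roles that bundle tokens, and a lookup on every access) can be sketched as follows. This is an added example, not code from the patent; the class, method, resource and user names are assumptions, and treating a functionality with no token as unrestricted is this example's reading of the intranet homepage case.

```python
from collections import defaultdict


class SecurityFramework:
    """In-memory stand-in for database 40 (all names here are illustrative)."""

    def __init__(self):
        self.resource_token = {}             # functionality or folder -> token name
        self.token_group = defaultdict(set)  # token record, kept as a group of users
        self.role_tokens = {}                # role (user group) -> set of tokens
        self.user_roles = defaultdict(set)   # user -> roles the user belongs to
        self._count = defaultdict(int)

    def assign_token(self, prefix, resource):
        """Create a token record for one resource, named like "app1t1" or "ft1"."""
        if resource in self.resource_token:
            raise ValueError(f"{resource!r} already has a token")
        self._count[prefix] += 1
        token = f"{prefix}t{self._count[prefix]}"
        self.resource_token[resource] = token
        self.token_group[token] = set()
        return token

    def grant(self, user, token):
        """Discrete right: make the user a member of the token's group."""
        if token not in self.token_group:
            raise KeyError(f"unknown token {token!r}")
        self.token_group[token].add(user)

    def revoke(self, user, token):
        self.token_group[token].discard(user)

    def define_role(self, role, tokens):
        unknown = set(tokens) - set(self.token_group)
        if unknown:
            raise KeyError(f"unknown tokens {sorted(unknown)}")
        self.role_tokens[role] = set(tokens)

    def add_member(self, user, role):
        if role not in self.role_tokens:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def tokens_for(self, user):
        """Tokens held directly plus tokens inherited through roles."""
        held = {t for t, members in self.token_group.items() if user in members}
        for role in self.user_roles.get(user, ()):
            held |= self.role_tokens[role]
        return held

    def check(self, user, resource):
        """Access decision made each time a functionality or folder is requested."""
        token = self.resource_token.get(resource)
        if token is None:
            return True  # no token assigned: unrestricted (assumption, see lead-in)
        return token in self.tokens_for(user)

    def untokenized(self, resources):
        """Audit helper: resources that would be served without any token check."""
        return sorted(r for r in resources if r not in self.resource_token)


def build_intranet_example():
    """The employee-directory scenario, with constructed users and resource names."""
    fw = SecurityFramework()
    directory = fw.assign_token("app1", "link:/directory")    # app1t1
    search = fw.assign_token("app1", "cmd:directory-search")  # app1t2
    salary = fw.assign_token("app1", "link:/salaries")        # app1t3
    reports = fw.assign_token("f", "ftp:/reports")            # ft1
    fw.define_role("low_mgr", {directory})
    fw.define_role("mid_mgr", {directory, search})
    fw.define_role("high_mgr", {directory, search, salary})
    fw.add_member("alice", "low_mgr")
    fw.add_member("bob", "mid_mgr")
    fw.add_member("carol", "high_mgr")
    fw.grant("bob", reports)  # discrete folder right outside any role
    return fw
```

Because `check` allows anything without a token, running `untokenized` over the full list of functionalities shows which ones the framework does not gate.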
  • [0046] Session management process 66 includes an inactivity timer 68 for monitoring the amount of time that a session has been inactive (e.g., no data or information entered by the user). In the event that the session has been inactive for greater than a defined period of time (as defined by administrator 20), that session is disconnected. Therefore, if disconnected, user 12 will be required to reestablish the session before they may continue to use process 10. The length of this defined period of time may be varied depending on the particular application that the user is working on.
  • [0047] Session management process 66 also includes an point-in-time timeout process 70 for disconnecting sessions at an administrator-defined point in time. This enables all sessions (or a portion thereof) to be disconnected at a specific time of day, thus allowing, for example, the performance of maintenance tasks on process 10 or server 16.
  • Additionally, [0048] session management process 66 includes a session restriction process 72 that prevents multiple users from logging into process 10 and/or server 16 using a single user ID. As stated above, when a user logs into server 16, that user is prompted to enter their user name and password. Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 is accessed from database 40 and/or 46. A session record is created (in database 40) for the user's current session. Written into this session record is a unique browser ID that is obtained from the web browser that user 12 is using to access process 10. This session record uniquely identifies the computer currently being used by user 12 and, therefore, uniquely identifies that user's current session. Further, each time a new session is established for user 12, a new session record is created and any previously established session is suspended.
  • Therefore, assume that an unauthorized user (not shown) obtained the user name and password of an authorized [0049] user 12 and also obtained a copy of that authorized user's certificate of authenticity 60. If the authorized user 12 is logged into process 10 and the unauthorized user subsequently logs into process 10, a new session record is generated for the unauthorized user (and the unauthorized user's computer browser) and the session record for the session previously established by user 12 is deleted. This, in turn, results in the session of user 12 being terminated. Since user 12 is now prevented from any further use of process 10, user 12 is constructively notified that their user ID, password, and/or certificate were compromised.
  • [0050] Session restriction process 72 may be interfaced with user record maintenance process 48 so that in the event that multiples users log in (or attempt to log in) using a single user ID, user record maintenance process 48 disables or deletes that user ID. This is done on the premise that the confidentiality of that user ID was compromised and, therefore, a new user ID should be created for that user.
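The three session controls described above (inactivity timer, point-in-time timeout, and one session record per user ID with displacement of the earlier session) can be sketched as follows. This is an added example, not code from the patent; the class and event names are assumptions, times are plain numbers in seconds supplied by the caller, and how the browser ID is obtained is left open, as it is on the page.

```python
class SessionManager:
    """One session record per user ID, holding the browser ID of the current session."""

    def __init__(self, idle_limit, cutoff=None, disable_on_conflict=False):
        self.idle_limit = idle_limit          # inactivity limit, set by the administrator
        self.cutoff = cutoff                  # administrator-defined point in time, or None
        self.disable_on_conflict = disable_on_conflict
        self.sessions = {}                    # user_id -> session record
        self.disabled = set()                 # user IDs disabled after a conflict
        self.events = []                      # audit trail for detection and review

    def _expired(self, rec, now):
        """Return the reason a session record is no longer valid, or None."""
        if now - rec["last_seen"] > self.idle_limit:
            return "idle_timeout"
        if self.cutoff is not None and rec["created"] < self.cutoff <= now:
            return "point_in_time_timeout"
        return None

    def login(self, user_id, browser_id, now):
        """Called after user name, password and certificate have been accepted."""
        if user_id in self.disabled:
            return False
        prior = self.sessions.get(user_id)
        conflict = (prior is not None
                    and prior["browser_id"] != browser_id
                    and self._expired(prior, now) is None)
        if conflict:
            # A live session from another browser exists: record it before replacing it.
            self.events.append(("displaced", user_id, prior["browser_id"], browser_id, now))
            if self.disable_on_conflict:
                del self.sessions[user_id]
                self.disabled.add(user_id)
                self.events.append(("user_id_disabled", user_id, now))
                return False
        # The new record replaces any earlier one, which ends the earlier session.
        self.sessions[user_id] = {"browser_id": browser_id, "created": now, "last_seen": now}
        return True

    def request(self, user_id, browser_id, now):
        """Validate one request against the stored session record."""
        rec = self.sessions.get(user_id)
        if rec is None or rec["browser_id"] != browser_id:
            return False  # no session, or this browser's session was displaced
        reason = self._expired(rec, now)
        if reason is not None:
            del self.sessions[user_id]
            self.events.append((reason, user_id, browser_id, now))
            return False
        rec["last_seen"] = now
        return True
```

The `displaced` entries in `events` are the server-side counterpart of the constructive notice the displaced user receives, so they are the records to alert on.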
  • Referring to FIG. 2, a [0051] method 100 for regulating the application functionality and network access of a user is shown. An application permission token is assigned 102 to one or more application functionalities of an application running on a server. By regulating 104 the access the user has to these application permission tokens, the access rights of the user are defined in that a user who has access to an application permission token is granted access to its related application functionality.
  • These application permission tokens of the application and the application access rights of the user are stored [0052] 106 on a database. An administrator defines 108 the application functionalities of an application. An application database record is maintained 110 for each application running on the server. Further, an application database record is also maintained 112 for each application permission token assigned to the application functionalities of the application running on the server. Additionally, a user database record is maintained for each user who has access to the system.
  • [0053] Newly-added users are authenticated 116 by requiring the newly-added user to prove their identity. Once their identity is proven, an authenticity certificate is produced for and provided to 118 the newly-added user. This authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting 120 the data communicated between the user's computer and the server. A user is authenticated 122 upon log in by comparing the information encoded within the authenticity certificate to information stored on the database.
  • [0054] A newly-added user may be required 124 to provide personal information prior to the creation of the authenticity certificate. Additionally, the administrator may require 126 that the personal information entered by the user be approved prior to the creation of the authenticity certificate. A user group is maintained 128 such that all members of the user group have equivalent access to the permission tokens assigned by the administrator.
  • [0055] A folder permission token is assigned 130 to one or more folders within a directory structure. These folder permission tokens are then used to regulate the access of a user to the particular folders within the directory structure. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder. A folder token database record is produced 132 for each folder permission token assigned to the folders within the directory structure.
  • [0056] A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. Accordingly, other embodiments are within the scope of the following claims.
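The session restriction behaviour of paragraphs [0049] and [0050], as an added example that is not code from the patent: a newer login deletes the older session record for the same user ID, and an optional strict mode disables the user ID instead. The class, method and event names and the client labels are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionRegistry:
    # Assumption: strict mode models paragraph [0050], where a second login on
    # a user ID that already has a live session disables that user ID.
    disable_on_concurrent_login: bool = False
    sessions: dict = field(default_factory=dict)  # user_id -> (session_id, client)
    disabled: set = field(default_factory=set)
    audit: list = field(default_factory=list)     # events a defender can alert on

    def login(self, user_id, client):
        """Return a new session ID, or None if the user ID is (now) disabled."""
        if user_id in self.disabled:
            self.audit.append(("login_refused_disabled", user_id, client))
            return None
        previous = self.sessions.pop(user_id, None)  # old session record deleted
        if previous is not None:
            # Both endpoints are logged: the displaced one and the displacing one.
            self.audit.append(("session_displaced", user_id, previous[1], client))
            if self.disable_on_concurrent_login:
                self.disabled.add(user_id)
                self.audit.append(("user_id_disabled", user_id))
                return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[user_id] = (session_id, client)
        return session_id

    def is_valid(self, user_id, session_id):
        """Checked on every request; a displaced session fails here."""
        current = self.sessions.get(user_id)
        if current is None or not isinstance(session_id, str):
            return False
        return secrets.compare_digest(current[0].encode(), session_id.encode())

    def logout(self, user_id, session_id):
        """A clean logout removes the record, so the next login displaces nothing."""
        if self.is_valid(user_id, session_id):
            del self.sessions[user_id]
            return True
        return False


def demo():
    """Constructed scenario: user12 is active when a second login arrives."""
    reg = SessionRegistry()
    first = reg.login("user12", "client-A")
    second = reg.login("user12", "client-B")
    return reg.is_valid("user12", first), reg.is_valid("user12", second), reg.audit


if __name__ == "__main__":
    print(demo())
```

A legitimate user who logs in from a second browser without logging out produces the same `session_displaced` event, so the logged client pair is what an analyst uses to tell the two cases apart.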
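Method 100 of paragraphs [0051] to [0055] as a runnable model, added here and not taken from the patent: tokens are attached to URLs or folders, users hold tokens directly or through a user group, and the records live in a database. The table layout, the `user:`/`group:` principal prefixes, folder path normalization and deny-by-default for unmapped resources are assumptions of this sketch, and all sample names are constructed.

```python
import posixpath
import sqlite3

# One row per (token, resource): a token may cover several functionalities.
SCHEMA = """
CREATE TABLE token_resource (token TEXT, kind TEXT, resource TEXT,
                             PRIMARY KEY (token, kind, resource));
CREATE TABLE membership (user_id TEXT, grp TEXT, PRIMARY KEY (user_id, grp));
CREATE TABLE token_grant (principal TEXT, token TEXT,
                          PRIMARY KEY (principal, token));
"""


def normalize_folder(path):
    """Collapse '.', '..' and duplicate or trailing slashes before any lookup."""
    return posixpath.normpath("/" + path.lstrip("/"))


class TokenStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def assign_token(self, token, kind, resource):
        """Attach a token to an application URL (kind 'app') or a folder."""
        if kind == "folder":
            resource = normalize_folder(resource)
        self.db.execute("INSERT OR IGNORE INTO token_resource VALUES (?, ?, ?)",
                        (token, kind, resource))

    def add_to_group(self, user_id, grp):
        self.db.execute("INSERT OR IGNORE INTO membership VALUES (?, ?)",
                        (user_id, grp))

    def grant(self, principal, token):
        """principal is 'user:<id>' or 'group:<name>'; the prefix keeps a user
        who shares a group's name from inheriting that group's tokens."""
        self.db.execute("INSERT OR IGNORE INTO token_grant VALUES (?, ?)",
                        (principal, token))

    def is_allowed(self, user_id, kind, resource):
        """True only if the user, directly or via a group, holds a token that
        is assigned to this exact resource. Unmapped resources are denied."""
        if kind == "folder":
            resource = normalize_folder(resource)
        row = self.db.execute(
            """SELECT 1 FROM token_resource tr
               JOIN token_grant g ON g.token = tr.token
               WHERE tr.kind = ? AND tr.resource = ?
                 AND (g.principal = 'user:' || ?
                      OR g.principal IN (SELECT 'group:' || grp
                                         FROM membership WHERE user_id = ?))
               LIMIT 1""",
            (kind, resource, user_id, user_id)).fetchone()
        return row is not None


def build_demo():
    """Constructed sample data; none of these names come from the patent."""
    s = TokenStore()
    s.assign_token("VIEW_QUOTES", "app", "/quotes/view")
    s.assign_token("VIEW_QUOTES", "app", "/quotes/history")
    s.assign_token("ENTER_ORDER", "app", "/orders/new")
    s.assign_token("RESEARCH_RO", "folder", "/research/reports")
    s.add_to_group("alice", "analysts")
    s.grant("group:analysts", "VIEW_QUOTES")
    s.grant("group:analysts", "RESEARCH_RO")
    s.grant("user:bob", "ENTER_ORDER")
    return s


if __name__ == "__main__":
    store = build_demo()
    for user, kind, res in [("alice", "app", "/quotes/history"),
                            ("alice", "app", "/orders/new"),
                            ("alice", "folder", "/research/reports/../admin")]:
        print(user, kind, res, store.is_allowed(user, kind, res))
```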

Claims (36)

What is claimed is:
1. A process, residing on a server, for regulating application functionality and network access of a user, comprising:
an application permission configuration process for assigning an application permission token to one or more application functionalities of an application running on said server;
a user permission configuration process for regulating the access of a user to said application permission tokens assigned by said application permission configuration process to define application access rights of the user, wherein a user having access to an application permission token is granted access to its related application functionality; and
a database for storing said application permissions tokens of said application and said application access rights of said user.
2. The process of claim 1 wherein said application permission configuration process includes a functionality configuration process for defining said application functionalities.
3. The process of claim 2 wherein said application functionality is a web-based process.
4. The process of claim 2 wherein said application functionality is a uniform resource locator (URL).
5. The process of claim 1 further comprising an application record maintenance process for maintaining an application database record for said application running on said server.
6. The process of claim 5 further comprising an application token record maintenance process for maintaining an application token database record for each said application permission token assigned to said application functionalities of said application running on said server.
7. The process of claim 6 further comprising a user record maintenance process for maintaining a user database record for said user.
8. The process of claim 7 wherein said database includes a network domain database and a security framework database, and said application database records, said application token database records, and said user database records are stored on both said network domain database and said security framework database.
9. The process of claim 1 further comprising a user enrollment process that authenticates a newly-added user by requiring said newly-added user to prove their identity, wherein an authenticity certificate is then produced for and provided to said newly-added user.
10. The process of claim 9 wherein said authenticity certificate identifies said newly-added user and includes an encryption key for encrypting the data communicated between the user's computer and said server.
11. The process of claim 9 further comprising a network authentication process that authenticates a user upon log in by comparing information encoded within said authenticity certificate to information stored on said database.
12. The process of claim 9 wherein said user enrollment process further includes a user personal information input process that requires said newly-added user to provide personal information prior to the creation of said authenticity certificate.
13. The process of claim 1 further comprising a role maintenance process for maintaining a user group such that all members of said user group have equivalent access to said permission tokens assigned by said application permission configuration process.
14. The process of claim 1 further comprising a folder permission configuration process for assigning a folder permission token to one or more folders within a directory structure, wherein said user permission configuration process is configured to regulate the access of a user to said folder permission tokens assigned by said folder permission configuration process, thus defining the folder access rights of said user, wherein a user who has access to a folder permission token is granted access to its related folder.
15. A method for regulating the application functionality and network access of a user, comprising:
assigning an application permission token to one or more application functionalities of an application running on a server;
regulating the access of a user to the application permission tokens assigned by said assigning an application permission token, thus defining the application access rights of the user, wherein a user who has access to an application permission token is granted access to its related application functionality; and
storing, on a database, the application permission tokens of the application and the application access rights of the user.
16. The method of claim 15 wherein said assigning an application permission token includes defining the application functionalities.
17. The method of claim 15 further comprising maintaining an application database record for the application running on the server.
18. The method of claim 15 further comprising maintaining an application token database record for each application permission token assigned to the application functionalities of the application running on the server.
19. The method of claim 15 further comprising maintaining a user database record for the user.
20. The method of claim 15 further comprising authenticating newly-added users by requiring the newly-added user to prove their identity, wherein an authenticity certificate is then produced for and provided to the newly-added user.
21. The method of claim 20 wherein the authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting the data communicated between the user's computer and the server.
22. The method of claim 20 further comprising authenticating a user upon log in by comparing information encoded within the authenticity certificate to information stored on the database.
23. The method of claim 20 wherein said authenticating newly-added users further includes requiring the newly-added user to provide personal information prior to the creation of the authenticity certificate.
24. The method of claim 23 wherein said authenticating newly-added users further includes requiring an administrator to approve the personal information entered by the user.
25. The method of claim 15 further comprising maintaining a user group such that all members of the user group have equivalent access to the permission tokens assigned by said assigning an application permission token.
26. The method of claim 15 further comprising assigning a folder permission token to one or more folders within a directory structure, wherein said regulating the access of a user is configured to regulate the access of a user to the folder permission tokens assigned by said assigning a folder permission token, thus defining the folder access rights of the user, wherein a user who has access to a folder permission token is granted access to its related folder.
27. The method of claim 32 further comprising producing a folder token database record for each folder permission token assigned to the folders within the directory structure.
28. A computer program product residing on a computer readable medium having a plurality of instructions stored thereon that, when executed by the processor, cause the processor to:
assign an application permission token to one or more application functionalities of an application running on a server;
regulate the access of a user to the application permission tokens assigned by said assigning an application permission token, thus defining the application access rights of the user, wherein a user who has access to an application permission token is granted access to its related application functionality; and
store, on a database, the application permission tokens of the application and the application access rights of the user.
29. The computer program product of claim 28 wherein said plurality of instructions further cause the processor to define the application functionalities.
30. The computer program product of claim 28 wherein said plurality of instructions further cause the processor to maintain an application database record for the application running on the server.
31. The computer program product of claim 28 wherein said plurality of instructions further cause the processor to maintain an application token database record for each application permission token assigned to the application functionalities of the application running on the server.
32. The computer program product of claim 28 wherein said plurality of instructions further cause the processor to maintain a user database record for the user.
33. The computer program product of claim 28 wherein said plurality of instructions further cause the processor to authenticate newly-added users by requiring the newly-added user to prove their identity, wherein an authenticity certificate is then produced for and provided to the newly-added user.
34. The computer program product of claim 33 wherein said plurality of instructions further cause the processor to authenticate a user upon log in by comparing information encoded within the authenticity certificate to information stored on the database.
35. The computer program product of claim 33 wherein said plurality of instructions further cause the processor to require the newly-added user to provide personal information prior to the creation of the authenticity certificate.
36. The computer program product of claim 28 wherein said plurality of instructions further cause the processor to maintain a user group such that all members of the user group have equivalent access to the permission tokens.
US10/175,942 2001-08-21 2002-06-20 Security framework Abandoned US20030079136A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/175,942 US20030079136A1 (en) 2001-08-21 2002-06-20 Security framework

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US31395401P 2001-08-21 2001-08-21
US10/175,942 US20030079136A1 (en) 2001-08-21 2002-06-20 Security framework

Publications (1)

Publication Number Publication Date
US20030079136A1 (en) 2003-04-24

Family

ID=26871705

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/175,942 Abandoned US20030079136A1 (en) 2001-08-21 2002-06-20 Security framework

Country Status (1)

Country Link
US (1) US20030079136A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6405318B1 (en) * 1999-03-12 2002-06-11 Psionic Software, Inc. Intrusion detection system
US6728884B1 (en) * 1999-10-01 2004-04-27 Entrust, Inc. Integrating heterogeneous authentication and authorization mechanisms into an application access control system
US6785666B1 (en) * 2000-07-11 2004-08-31 Revenue Science, Inc. Method and system for parsing navigation information

Cited By (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040001101A1 (en) * 2002-06-27 2004-01-01 Koninklijke Philips Electronics N.V. Active window switcher
US20040059587A1 (en) * 2002-09-25 2004-03-25 Astle Robert L. Method and apparatus for associating privileges with people in an organization
US8473321B2 (en) * 2002-09-25 2013-06-25 Hewlett-Packard Development Company, L.P. Method and apparatus for associating privileges with people in an organization
US20140366108A1 (en) * 2003-02-13 2014-12-11 Microsoft Corporation Digital Identity Management
US9477832B2 (en) * 2003-02-13 2016-10-25 Microsoft Technology Licensing, Llc Digital identity management
DE102004003593A1 (en) * 2004-01-15 2005-08-04 Deutsche Telekom Ag Sending user-specific data based on WAP or HTML protocols involves determining characteristics of user/terminal sending URL information, analyzing for tokens, replacing with user/equipment-specific data for sending to service provider
DE102004003593B4 (en) * 2004-01-15 2016-05-12 Deutsche Telekom Ag Method for transmitting user-specific data based on the WAP or HTML protocol
US20070033588A1 (en) * 2005-08-02 2007-02-08 Landsman Richard A Generic download and upload functionality in a client/server web application architecture
US7594003B2 (en) 2005-08-02 2009-09-22 Aol Llc Client/server web application architectures for offline usage, data structures, and related methods
US9641594B2 (en) 2005-08-02 2017-05-02 Aol Inc. Generic download and upload functionality in a client/server web application architecture
US9043783B2 (en) 2005-08-02 2015-05-26 Aol Inc. Generic download and upload functionality in a client/server web application architecture
US20070033569A1 (en) * 2005-08-02 2007-02-08 Davidson James G Client/server web application architectures for offline usage, data structures, and related methods
US8601475B2 (en) 2005-08-02 2013-12-03 Aol Inc. Download and upload of email messages using control commands in a client/server web application
US20080263656A1 (en) * 2005-11-29 2008-10-23 Masaru Kosaka Device, System and Method of Performing an Administrative Operation on a Security Token
US8387125B2 (en) * 2005-11-29 2013-02-26 K.K. Athena Smartcard Solutions Device, system and method of performing an administrative operation on a security token
US20070192610A1 (en) * 2006-02-10 2007-08-16 Chun Dexter T Method and apparatus for securely booting from an external storage device
US8386518B2 (en) * 2006-07-10 2013-02-26 Gemalto Sa Server for managing anonymous confidential data
US20090319488A1 (en) * 2006-07-10 2009-12-24 Gemalto Server for managing anonymous confidential data
US8250094B2 (en) * 2006-07-19 2012-08-21 Microsoft Corporation Relational lockdown for an item store
US20080021901A1 (en) * 2006-07-19 2008-01-24 Microsoft Corporation Relational lockdown for an item store
US20100192193A1 (en) * 2009-01-23 2010-07-29 Microsoft Corporation Security restriction techniques for browser-based applications
US20130067597A1 (en) * 2011-09-14 2013-03-14 Samsung Electronics Co., Ltd. System for controlling access to user resources and method thereof
US10733151B2 (en) 2011-10-27 2020-08-04 Microsoft Technology Licensing, Llc Techniques to share media files
US9264413B2 (en) * 2012-12-06 2016-02-16 Qualcomm Incorporated Management of network devices utilizing an authorization token
US20140165155A1 (en) * 2012-12-06 2014-06-12 Qualcomm Incorporated Management of network devices utilizing an authorization token
US20160085977A1 (en) * 2014-09-18 2016-03-24 Samsung Electronics Co., Ltd. Token-based scheme for granting permissions
US10176333B2 (en) * 2014-09-18 2019-01-08 Samsung Electronics Co., Ltd. Token-based scheme for granting permissions
US20180060595A1 (en) * 2016-08-31 2018-03-01 Vmware, Inc. Extensible token-based authorization
US10452328B2 (en) * 2016-08-31 2019-10-22 Vmware, Inc. Extensible token-based authorization
US10635828B2 (en) 2016-09-23 2020-04-28 Microsoft Technology Licensing, Llc Tokenized links with granular permissions
CN108123930A (en) * 2016-11-28 2018-06-05 Ssh通信安全公司 Access the host in computer network
US10425417B2 (en) * 2017-03-08 2019-09-24 Bank Of America Corporation Certificate system for verifying authorized and unauthorized secure sessions
US10374808B2 (en) 2017-03-08 2019-08-06 Bank Of America Corporation Verification system for creating a secure link
US10432595B2 (en) 2017-03-08 2019-10-01 Bank Of America Corporation Secure session creation system utililizing multiple keys
US10361852B2 (en) 2017-03-08 2019-07-23 Bank Of America Corporation Secure verification system
US20180262504A1 (en) * 2017-03-08 2018-09-13 Bank Of America Corporation Certificate system for verifying authorized and unauthorized secure sessions
US10812487B2 (en) 2017-03-08 2020-10-20 Bank Of America Corporation Certificate system for verifying authorized and unauthorized secure sessions
US10848492B2 (en) 2017-03-08 2020-11-24 Bank Of America Corporation Certificate system for verifying authorized and unauthorized secure sessions
US10862892B2 (en) 2017-03-08 2020-12-08 Bank Of America Corporation Certificate system for verifying authorized and unauthorized secure sessions
US20190007415A1 (en) * 2017-06-29 2019-01-03 Microsoft Technology Licensing, Llc Access control manager
US10764299B2 (en) * 2017-06-29 2020-09-01 Microsoft Technology Licensing, Llc Access control manager
US11588822B2 (en) * 2017-10-19 2023-02-21 Beijing Jingdong Shangke Information Technology Co., Ltd. Right control method and apparatus for terminal device
US10909045B2 (en) * 2018-12-20 2021-02-02 Arm Limited System, method and apparatus for fine granularity access protection

Legal Events

Date Code Title Description
AS Assignment

Owner name: NASDAQ STOCK MARKET, INC., THE, DISTRICT OF COLUMB

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ERICTA, EMMANUEL;SMITHWICK, SHARON;REEL/FRAME:013624/0605;SIGNING DATES FROM 20021019 TO 20021127

AS Assignment

Owner name: JP MORGAN CHASE BANK, N.A.,NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNOR:NASDAQ STOCK MARKET, INC., THE;REEL/FRAME:017222/0503

Effective date: 20051208

Owner name: JP MORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNOR:NASDAQ STOCK MARKET, INC., THE;REEL/FRAME:017222/0503

Effective date: 20051208

AS Assignment

Owner name: THE NASDAQ STOCK MARKET, INC.,NEW YORK

Free format text: TERMINATION AND RELEASE AGREEMENT;ASSIGNOR:JPMORGAN CHASE BANK N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:017492/0228

Effective date: 20060418

Owner name: THE NASDAQ STOCK MARKET, INC., NEW YORK

Free format text: TERMINATION AND RELEASE AGREEMENT;ASSIGNOR:JPMORGAN CHASE BANK N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:017492/0228

Effective date: 20060418

AS Assignment

Owner name: BANK OF AMERICA, N.A. AS COLLATERAL AGENT,NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNOR:THE NASDAQ STOCK MARKET, INC.;REEL/FRAME:017507/0308

Effective date: 20060418

Owner name: BANK OF AMERICA, N.A. AS COLLATERAL AGENT, NEW YOR

Free format text: SECURITY AGREEMENT;ASSIGNOR:THE NASDAQ STOCK MARKET, INC.;REEL/FRAME:017507/0308

Effective date: 20060418

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: THE NASDAQ STOCK MARKET, INC., NEW YORK

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:BANK OF AMERICA, N.A.;REEL/FRAME:019943/0733

Effective date: 20070928

Owner name: THE NASDAQ STOCK MARKET, INC.,NEW YORK

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:BANK OF AMERICA, N.A.;REEL/FRAME:019943/0733

Effective date: 20070928

AS Assignment

Owner name: NASDAQ OMX GROUP, INC., THE, MARYLAND

Free format text: CHANGE OF NAME;ASSIGNOR:NASDAQ STOCK MARKET, INC., THE;REEL/FRAME:020747/0105

Effective date: 20080227

Owner name: NASDAQ OMX GROUP, INC., THE,MARYLAND

Free format text: CHANGE OF NAME;ASSIGNOR:NASDAQ STOCK MARKET, INC., THE;REEL/FRAME:020747/0105

Effective date: 20080227